sendnrw/netbird-docs
2
0
Fork 0
mirror of https://github.com/netbirdio/docs.git synced 2026-04-16 07:26:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Align proxy docs with getting-started.sh: fix image name, Traefik labels, add proxy domain warning and quickstart flow

Browse Source
This commit is contained in:
Ashley Mensah
2026-02-13 19:25:19 +01:00
parent 420d13cb64
commit 820e98e7a1
2 changed files with 77 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
src/pages/selfhosted/migration/enable-reverse-proxy.mdx
View File

@@ -21,7 +21,8 @@ If your current deployment uses a reverse proxy other than Traefik, you'll need
### What you're adding ### What you're adding
- **`netbird-proxy` container** - a new service in your Docker Compose stack that handles TLS termination, certificate provisioning, and traffic forwarding for reverse proxy services - **`proxy` service (container: `netbird-proxy`)** - a new service in your Docker Compose stack that handles TLS termination, certificate provisioning, and traffic forwarding for reverse proxy services
- **`proxy.env` file** - environment variables for the proxy container, including domain, token, and ACME configuration
- **Traefik TCP labels** - routing rules that tell Traefik to pass TLS connections through to the proxy container - **Traefik TCP labels** - routing rules that tell Traefik to pass TLS connections through to the proxy container
- **Wildcard DNS record** - so that all service subdomains (e.g., `myapp.proxy.example.com`) resolve to your server - **Wildcard DNS record** - so that all service subdomains (e.g., `myapp.proxy.example.com`) resolve to your server
- **Proxy access token** - generated via the management CLI, used by the proxy to authenticate with the management server - **Proxy access token** - generated via the management CLI, used by the proxy to authenticate with the management server
@@ -57,7 +58,7 @@ cd netbird-backup-$(date +%Y%m%d)
# Backup configuration files # Backup configuration files
cp ../docker-compose.yml . cp ../docker-compose.yml .
cp ../management.json . cp ../management.json . 2>/dev/null
cp ../*.env . 2>/dev/null || echo "No .env files found" cp ../*.env . 2>/dev/null || echo "No .env files found"
``` ```
@@ -83,26 +84,30 @@ docker exec -it netbird-server netbird-mgmt token revoke <token-id>
### Step 3: Add the proxy service to docker-compose.yml ### Step 3: Add the proxy service to docker-compose.yml
Add the following service to your `docker-compose.yml`. Replace the placeholder values with your actual token and domains: Add the following service to your `docker-compose.yml`. Replace the placeholder values with your actual domains:
```yaml ```yaml
netbird-proxy: proxy:
image: netbirdio/netbird-proxy:latest image: netbirdio/reverse-proxy:latest
container_name: netbird-proxy container_name: netbird-proxy
extra_hosts:
- "netbird.example.com:172.30.0.10"
restart: unless-stopped restart: unless-stopped
networks: [netbird] networks: [netbird]
environment: depends_on:
- NB_PROXY_TOKEN=nbx_your_token_here - netbird-server
- NB_PROXY_DOMAIN=proxy.example.com env_file:
- NB_PROXY_MANAGEMENT_ADDRESS=https://netbird.example.com:443 - ./proxy.env
- NB_PROXY_ACME_CERTIFICATES=true volumes:
- netbird_proxy_certs:/certs
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.tcp.routers.netbird-proxy.rule=HostSNI(`*.proxy.example.com`) - traefik.tcp.routers.proxy-passthrough.entrypoints=websecure
- traefik.tcp.routers.netbird-proxy.entrypoints=websecure - traefik.tcp.routers.proxy-passthrough.rule=HostSNI(`*`)
- traefik.tcp.routers.netbird-proxy.tls.passthrough=true - traefik.tcp.routers.proxy-passthrough.tls.passthrough=true
- traefik.tcp.routers.netbird-proxy.priority=1 - traefik.tcp.routers.proxy-passthrough.service=proxy-tls
- traefik.tcp.services.netbird-proxy.loadbalancer.server.port=8443 - traefik.tcp.routers.proxy-passthrough.priority=1
- traefik.tcp.services.proxy-tls.loadbalancer.server.port=8443
logging: logging:
driver: "json-file" driver: "json-file"
options: options:
@@ -110,15 +115,39 @@ netbird-proxy:
max-file: "2" max-file: "2"
``` ```
Also add the `netbird_proxy_certs` volume to your `volumes:` section:
```yaml
volumes:
# ...existing volumes...
netbird_proxy_certs:
```
Replace `netbird.example.com` in the `extra_hosts` entry with your actual NetBird management domain. This hairpin NAT fix ensures the proxy can reach Traefik's static IP within the Docker network.
Then create a `proxy.env` file with the proxy configuration:
```bash
NB_PROXY_DOMAIN=proxy.example.com
NB_PROXY_TOKEN=nbx_your_token_here
NB_PROXY_MANAGEMENT_ADDRESS=https://netbird.example.com:443
NB_PROXY_ADDRESS=:8443
NB_PROXY_ACME_CERTIFICATES=true
NB_PROXY_ACME_CHALLENGE_TYPE=tls-alpn-01
NB_PROXY_CERTIFICATE_DIRECTORY=/certs
```
Replace `proxy.example.com` with your proxy domain and `netbird.example.com` with your management domain.
The Traefik labels configure a **TCP router** that: The Traefik labels configure a **TCP router** that:
- Matches any request to `*.proxy.example.com` via SNI (Server Name Indication) - Catches any request not matched by higher-priority HTTP routers via `HostSNI(*)` (wildcard)
- Uses the `websecure` entrypoint (port 443) - Uses the `websecure` entrypoint (port 443)
- Passes the TLS connection through **without termination** (`tls.passthrough=true`) - Passes the TLS connection through **without termination** (`tls.passthrough=true`)
- Uses `priority=1` to avoid intercepting traffic meant for the main NetBird HTTP routers on the same entrypoint - Uses `priority=1` to avoid intercepting traffic meant for the main NetBird HTTP routers on the same entrypoint
- Forwards traffic to the proxy container on port 8443 - Forwards traffic to the proxy container on port 8443
<Note> <Note>
Replace `proxy.example.com` in both the `NB_PROXY_DOMAIN` environment variable and the Traefik `HostSNI` rule with your actual proxy domain. These must match. The `HostSNI(*)` rule acts as a catch-all for any domain not matched by the existing NetBird HTTP routers. The `priority=1` ensures this TCP router only handles traffic that no other router claims. Any domain pointing to your server that isn't `netbird.example.com` will be forwarded to the proxy.
</Note> </Note>
### Step 4: Set up wildcard DNS ### Step 4: Set up wildcard DNS
@@ -135,7 +164,7 @@ This ensures that all service subdomains (e.g., `myapp.proxy.example.com`, `dash
```bash ```bash
# Pull the new image # Pull the new image
docker compose pull netbird-proxy docker compose pull proxy
# Start the proxy alongside existing services # Start the proxy alongside existing services
docker compose up -d docker compose up -d
@@ -144,7 +173,7 @@ docker compose up -d
docker compose ps docker compose ps
# Check proxy logs # Check proxy logs
docker compose logs -f netbird-proxy docker compose logs -f proxy
``` ```
You should see log messages indicating the proxy has connected to the management server and is ready to serve traffic. You should see log messages indicating the proxy has connected to the management server and is ready to serve traffic.
@@ -255,6 +284,12 @@ If your self-hosted deployment currently uses Nginx, Caddy, or another reverse p
| `NB_PROXY_CERTIFICATE_FILE` | No | TLS certificate filename within the certificate directory (for static certificate mode). | `tls.crt` | | `NB_PROXY_CERTIFICATE_FILE` | No | TLS certificate filename within the certificate directory (for static certificate mode). | `tls.crt` |
| `NB_PROXY_CERTIFICATE_KEY_FILE` | No | TLS private key filename within the certificate directory (for static certificate mode). | `tls.key` | | `NB_PROXY_CERTIFICATE_KEY_FILE` | No | TLS private key filename within the certificate directory (for static certificate mode). | `tls.key` |
| `NB_PROXY_CERTIFICATE_DIRECTORY` | No | Directory where static certificate files are stored. | `./certs` | | `NB_PROXY_CERTIFICATE_DIRECTORY` | No | Directory where static certificate files are stored. | `./certs` |
| `NB_PROXY_ALLOW_INSECURE` | No | Allow insecure (non-TLS) gRPC connection to the management server. Set to `true` when connecting over an internal Docker network. | `false` |
| `NB_PROXY_FORWARDED_PROTO` | No | Protocol to report in the `X-Forwarded-Proto` header. Set to `https` when TLS is terminated at the proxy. | - |
| `NB_PROXY_OIDC_CLIENT_ID` | No | OIDC client ID for proxy SSO authentication. | - |
| `NB_PROXY_OIDC_ENDPOINT` | No | OIDC discovery endpoint URL for proxy SSO authentication. | - |
| `NB_PROXY_OIDC_SCOPES` | No | Comma-separated list of OIDC scopes to request (e.g., `openid,profile,email`). | - |
| `NB_PROXY_DEBUG_LOGS` | No | Enable debug-level logging. | `false` |
## Troubleshooting ## Troubleshooting
@@ -265,7 +300,7 @@ If your self-hosted deployment currently uses Nginx, Caddy, or another reverse p
**Checklist**: **Checklist**:
1. Verify port 443 is accessible from the internet (required for `tls-alpn-01` challenge) 1. Verify port 443 is accessible from the internet (required for `tls-alpn-01` challenge)
2. Ensure the wildcard DNS record resolves correctly: `dig myapp.proxy.example.com` 2. Ensure the wildcard DNS record resolves correctly: `dig myapp.proxy.example.com`
3. Check proxy logs for ACME errors: `docker compose logs netbird-proxy | grep -i acme` 3. Check proxy logs for ACME errors: `docker compose logs proxy | grep -i acme`
4. If using `http-01` challenge type, ensure port 80 is also accessible 4. If using `http-01` challenge type, ensure port 80 is also accessible
### TLS passthrough not working ### TLS passthrough not working
@@ -275,7 +310,7 @@ If your self-hosted deployment currently uses Nginx, Caddy, or another reverse p
**Checklist**: **Checklist**:
1. Verify Traefik labels include `tls.passthrough=true` 1. Verify Traefik labels include `tls.passthrough=true`
2. Confirm the router is configured as a **TCP** router (not HTTP) - labels should use `traefik.tcp.routers`, not `traefik.http.routers` 2. Confirm the router is configured as a **TCP** router (not HTTP) - labels should use `traefik.tcp.routers`, not `traefik.http.routers`
3. Check that the `HostSNI` rule matches your proxy domain with the wildcard (`*.proxy.example.com`) 3. Check that the `HostSNI` rule is set to `HostSNI(*)` (wildcard catch-all)
4. Verify the TCP router has `priority=1` to prevent it from intercepting traffic meant for the main NetBird HTTP routers 4. Verify the TCP router has `priority=1` to prevent it from intercepting traffic meant for the main NetBird HTTP routers
5. Ensure the `websecure` entrypoint is configured in your Traefik configuration 5. Ensure the `websecure` entrypoint is configured in your Traefik configuration
6. Restart Traefik after adding the proxy container: `docker compose restart traefik` 6. Restart Traefik after adding the proxy container: `docker compose restart traefik`

24
src/pages/selfhosted/selfhosted-quickstart.mdx
View File

@@ -63,6 +63,7 @@ The script generates the following files:
| `docker-compose.yml` | Docker Compose configuration with all services | | `docker-compose.yml` | Docker Compose configuration with all services |
| `config.yaml` | Combined server configuration (management, signal, relay, STUN) | | `config.yaml` | Combined server configuration (management, signal, relay, STUN) |
| `dashboard.env` | Environment variables for the dashboard container | | `dashboard.env` | Environment variables for the dashboard container |
| `proxy.env` | Environment variables for the proxy container (only when proxy is enabled) |
For options 2-4, additional configuration files are generated (e.g., `nginx-netbird.conf`, `caddyfile-netbird.txt`, or `npm-advanced-config.txt`). For options 2-4, additional configuration files are generated (e.g., `nginx-netbird.conf`, `caddyfile-netbird.txt`, or `npm-advanced-config.txt`).
@@ -141,13 +142,30 @@ NetBird includes built-in local user management powered by an embedded <a href="
## Enable the Reverse Proxy Feature ## Enable the Reverse Proxy Feature
The quickstart installation does not include the [Reverse Proxy](/manage/reverse-proxy) feature by default. To enable it, you need to add the `netbird-proxy` container to your deployment and configure a separate proxy domain. When you select the built-in Traefik option (`[0]`), the script asks whether you want to enable the NetBird Proxy service:
```
Do you want to enable the NetBird Proxy service?
The proxy exposes internal NetBird network resources to the internet.
Enable proxy? [y/N]:
```
If you answer `y`, the script prompts for a **proxy domain**:
```
WARNING: The proxy domain MUST NOT be a subdomain of the NetBird management
domain (netbird.example.com). Using a subdomain will cause TLS certificate conflicts.
Enter the domain for the NetBird Proxy (e.g. proxy.my-domain.com):
```
<Warning> <Warning>
The proxy domain **must not** be a subdomain of your NetBird management domain. For example, if your management server is at `netbird.example.com`, do not use `proxy.netbird.example.com`. Use a separate subdomain like `proxy.example.com` instead. Using a subdomain of the management domain causes TLS and routing conflicts between the proxy and management services. The proxy domain **must not** be a subdomain of your NetBird management domain. For example, if your management server is at `netbird.example.com`, do not use `proxy.netbird.example.com`. Use a separate subdomain like `proxy.example.com` instead. Using a subdomain of the management domain causes TLS certificate conflicts.
</Warning> </Warning>
See the [Enable Reverse Proxy migration guide](/selfhosted/migration/enable-reverse-proxy) for step-by-step instructions on adding the proxy to an existing deployment, including token generation, Docker Compose configuration, and DNS setup. The script then automatically generates a proxy access token, creates a `proxy.env` configuration file, and starts the proxy container alongside the other services. Point a wildcard DNS record (`*.proxy.example.com`) to your server's IP address so that service subdomains resolve correctly.
If you skipped the proxy during initial setup, you can add it later by following the [Enable Reverse Proxy migration guide](/selfhosted/migration/enable-reverse-proxy).
## Maintenance ## Maintenance